short-term - A temporary set of credentials generated by AWS STS from your long-term credentials in combination with your MFA device serial number (either a hardware device serial number or virtual device ARN) and a one-time token code. Your short-term credentials are the ones the AWS SDK actually uses.

If you haven't yet enabled multi-factor authentication for AWS API access, check out the AWS article on doing so.

Installation:

Option 1

$ pip install aws-mfa

Option 2

1. Clone this repo
2. $ python setup.py install

Credentials File Setup

In a typical AWS credentials file (located at ~/.aws/credentials), credentials are stored in sections, denoted by a pair of brackets: []. The [default] section stores your default credentials. You can store multiple sets of credentials using different profile names. If no profile is specified, the [default] section is always used.

By default, long-term credential sections are identified by the convention [<profile_name>-long-term] and short-term credential sections by the typical convention [<profile_name>]. The following illustrates how you would configure your credentials file using aws-mfa with your default credentials:

The default naming convention for the credential sections can be overridden by using the --long-term-suffix and
--short-term-suffix command line arguments. For example, in a multi-account scenario you can have one AWS account
that manages the IAM users for your organization and other AWS accounts for the development, staging and production
environments.

After running aws-mfa once for each environment with a different value for --short-term-suffix, your credentials
file would read:

This allows you to access multiple environments without the need to run aws-mfa each time you want to switch
environments.

If you don't want a long-term suffix, you can omit it by passing the value none for the --long-term-suffix
command line argument. After running aws-mfa once for each environment with a different value for
--short-term-suffix, your credentials file would read:

Usage

  --device arn:aws:iam::123456788990:mfa/dudeman
                        The MFA Device ARN. This value can also be provided
                        via the environment variable 'MFA_DEVICE' or the
                        ~/.aws/credentials variable 'aws_mfa_device'.
  --duration DURATION   The duration, in seconds, that the temporary
                        credentials should remain valid. Minimum value: 900
                        (15 minutes). Maximum: 129600 (36 hours). Defaults to
                        43200 (12 hours), or 3600 (one hour) when using
                        '--assume-role'. This value can also be provided via
                        the environment variable 'MFA_STS_DURATION'.
  --profile PROFILE     If using profiles, specify the name here. The default
                        profile name is 'default'. The value can also be
                        provided via the environment variable 'AWS_PROFILE'.
  --long-term-suffix LONG_TERM_SUFFIX
                        To identify the long term credential section by
                        [<profile_name>-LONG_TERM_SUFFIX]. Use 'none' to
                        identify the long term credential section by
                        [<profile_name>]. Omit to identify the long term
                        credential section by [<profile_name>-long-term].
  --short-term-suffix SHORT_TERM_SUFFIX
                        To identify the short term credential section by
                        [<profile_name>-SHORT_TERM_SUFFIX]. Omit or use 'none'
                        to identify the short term credential section by
                        [<profile_name>].
  --assume-role arn:aws:iam::123456788990:role/RoleName
                        The ARN of the AWS IAM Role you would like to assume,
                        if specified. This value can also be provided via the
                        environment variable 'MFA_ASSUME_ROLE'
  --role-session-name ROLE_SESSION_NAME
                        Friendly session name required when using --assume-
                        role. By default, this is your local username.

Argument precedence: Command line arguments take precedence over environment variables.
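
The section-naming rules for --long-term-suffix and --short-term-suffix described above can be checked against a credentials file before relying on it. The following is an added example, not code from aws-mfa: the function names, the collision check and the sample file contents (all placeholder values) are assumptions made for illustration, and aws_session_token is the standard AWS credentials-file key for a temporary session token.

```python
import configparser

def section_names(profile="default", long_term_suffix=None, short_term_suffix=None):
    """Map a profile and the two suffix options to (long_term, short_term) section names."""
    if long_term_suffix is None:                 # option omitted
        long_name = f"{profile}-long-term"
    elif long_term_suffix == "none":
        long_name = profile
    else:
        long_name = f"{profile}-{long_term_suffix}"
    if short_term_suffix in (None, "none"):      # omitted or 'none'
        short_name = profile
    else:
        short_name = f"{profile}-{short_term_suffix}"
    if long_name == short_name:
        # This example's own check: both names resolve to one section, so
        # short-term credentials would land where the long-term keys live.
        raise ValueError(f"long- and short-term sections collide: [{long_name}]")
    return long_name, short_name

# Constructed sample file; every key, secret and token below is a placeholder.
SAMPLE = """\
[default-long-term]
aws_access_key_id = AKIAEXAMPLELONGTERM0
aws_secret_access_key = constructed-long-term-secret
aws_mfa_device = arn:aws:iam::123456788990:mfa/dudeman

[default-staging]
aws_access_key_id = ASIAEXAMPLESTAGING00
aws_secret_access_key = constructed-session-secret
aws_session_token = constructed-session-token
"""

def audit(text, profile="default", long_term_suffix=None, short_term_suffix=None):
    """Report sections whose contents do not match their long-/short-term role."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    long_name, short_name = section_names(profile, long_term_suffix, short_term_suffix)
    findings = []
    if not cfg.has_section(long_name):
        findings.append(f"missing long-term section [{long_name}]")
    elif cfg.has_option(long_name, "aws_session_token"):
        findings.append(f"[{long_name}] holds a session token, not long-term keys")
    if cfg.has_section(short_name) and not cfg.has_option(short_name, "aws_session_token"):
        findings.append(f"[{short_name}] has no aws_session_token")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE, short_term_suffix="staging"))
```

An empty list means the long-term section holds only long-term keys and the short-term section, if present, carries a session token.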